Facebook has rushed to counter a security threat which saw public links providing direct access into users’ accounts.
A message on the Hacker News website exposed the bug, providing a search string that brought up a list of links to over 1.3 million Facebook accounts. They appeared to have been links that Facebook sends to users via email, indicating such emails had been leaked online.
In some cases, clicking on those links gave access to accounts without any need for a password. Facebook has now disabled the feature which allowed users to click on a link and go directly into their account.
“These are not URLs that we make publicly available,” said Matt Jones, from the Facebook security team. “We send them in notification emails to users – they’re designed to make it easier to log in if you click a link we sent to your email in a notification.
“It’s likely that Google came across these URLs by crawling pages where people publicly post the contents of their email (e.g. throwaway email sites, as someone pointed out – or people whose email addresses go to email lists with online archives).”
Jones said the “nonces” – the links – expired after a period of time and only work for certain users. “Even then we run additional security checks to make sure it looks like the account owner who’s logging in,” he added.
“Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow.”
Are you a security pro? Try our quiz!
Thoma Bravo agrees to acquire Darktrace for $5.32 billion in cash, delivering some welcome news…
Customer adoption of AI services embedded in cloud services continues to deliver results for Microsoft,…
TikTok's 'secret source' algorithm is so core to ByteDance, it would rather shut down US…
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…